Credit:
The information has been provided by Secunia Research.
The original article can be found at: http://secunia.com/secunia_research/2008-31/
Vulnerable Systems:
* Trend Micro OfficeScan version 7.0
* Trend Micro OfficeScan version 7.3
* Trend Micro OfficeScan version 8.0
* Worry-Free Business Security version 5.0
* Trend Micro Client/Server/Messaging Suite version 3.5
* Trend Micro Client/Server/Messaging Suite version 3.6
The vulnerability is caused by insufficient entropy being used to create a random session token for identifying an authenticated manager using the web management console. The entropy in the session token comes solely from the system time when the real manager logs in with a granularity of one second. This can be exploited to impersonate a currently logged on manager by brute forcing the authentication token.
Successful exploitation further allows execution of arbitrary code via manipulation of the configuration.
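To make the entropy problem concrete, the following added example (not code from the advisory or from Trend Micro) models a token generator of the kind described, where the only input is the login time rounded to whole seconds, beside a CSPRNG-backed replacement. The weak generator is a hypothetical reconstruction for illustration, not the product's actual derivation.

```python
import hashlib
import hmac
import math
import secrets


def weak_session_token(login_time: float) -> str:
    """Hypothetical time-seeded token: the only entropy is the login
    timestamp at one-second granularity, as the advisory describes.
    Two logins in the same second yield the identical token."""
    seconds = int(login_time)  # fractional part is discarded
    return hashlib.sha1(str(seconds).encode("ascii")).hexdigest()


def weak_token_search_space_bits(window_seconds: int) -> float:
    """Effective entropy of a time-seeded token when the login time
    can be bounded to a window of `window_seconds` seconds.
    A one-hour window is under 12 bits; a full day is about 16.4."""
    return math.log2(max(window_seconds, 1))


def strong_session_token(nbytes: int = 32) -> str:
    """Hardened replacement: token bytes come from the OS CSPRNG and
    are unrelated to the clock, so each has nbytes * 8 bits of entropy."""
    return secrets.token_hex(nbytes)


def strong_token_bits(nbytes: int = 32) -> int:
    """Entropy, in bits, of a token produced by strong_session_token."""
    return nbytes * 8


def tokens_match(stored: str, presented: str) -> bool:
    """Constant-time comparison so validation does not leak token
    bytes through timing differences."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    # Constructed sample: two logins 0.4 s apart within the same second.
    print(weak_session_token(1219392000.1) == weak_session_token(1219392000.5))
    print(round(weak_token_search_space_bits(3600), 2), "bits for a 1 h window")
    print(strong_token_bits(), "bits for a CSPRNG token")
```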
Solution:
The vendor has issued patches for Trend Micro OfficeScan 8.0 and Worry-Free Business Security 5.0.
Fixes for other affected versions should be available shortly.
Time Table:
12/08/2008 - Vendor notified.
12/08/2008 - Vendor response.
16/08/2008 - Vendor provides status update.
22/08/2008 - Vendor issues patches for some of the affected products.
22/08/2008 - Public disclosure.
CVE Information:
CVE-2008-2433